Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found

To: debian-med@lists.debian.org
Subject: Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
From: Andreas Tille <andreas@an3as.eu>
Date: Mon, 24 Feb 2014 15:16:52 +0100
Message-id: <[🔎] 20140224141652.GB32034@an3as.eu>
In-reply-to: <[🔎] 20140224131910.GC5941@hermes.hilbert.loc>
References: <[🔎] 20140223073856.GA23744@an3as.eu> <[🔎] 20140223185325.GB9915@hermes.hilbert.loc> <[🔎] CANqxmqGHmBwD7Va-oNQ+5Ka4a-VUc3jNubEFue3JBA-iOEWcAQ@mail.gmail.com> <[🔎] 20140223213004.GE5073@an3as.eu> <[🔎] CANqxmqHD631d7LkTM8h=5hY8BCmEhVQPg9KCo9_XbOD-ymYW2w@mail.gmail.com> <[🔎] 20140223222916.GG9915@hermes.hilbert.loc> <[🔎] 20140224082127.GF22829@an3as.eu> <[🔎] CANqxmqFDmhwrGG+R-4g5s68=spQAgiecSjcSD83bD=-Jc_JCfQ@mail.gmail.com> <[🔎] 20140224125707.GJ22829@an3as.eu> <[🔎] 20140224131910.GC5941@hermes.hilbert.loc>

On Mon, Feb 24, 2014 at 02:19:10PM +0100, Karsten Hilbert wrote:
> > 
> > I'm aware that if you simply count the installed bytes the small sudo
> > package does close to no addition.  I'm rather concerned about the
> > principle to stick to the most simple way to approach a goal - if you
> > can do it with a standard tool of coreutils you simply should do it this
> > way.
> 
> That argument does not hold: coreutils will make things
> *possible*, not *simple*. Or else we need to define
> "simple" first.

Simple in terms of using the tools you can not (sensibly) avoid
installing on your machine anyway.

> > I think it is the other way around:  Any code you install without really
> > needing it might introduce some security whole.  So simply don't do it.
> 
> Unless the code you install (sudo) is more secure than the
> code that's already there (su) but doesn't get run as often
> due to the other code being installed.

Well, *every* software can have bugs - so the most secure way to be not
affected by a bug is to not install software you don't need.  The
smaller the set of packages you need to care for security wise the
better.

> > Considering that GNUHealth is running in critical environments like on
> > servers in hospitals you just want to minimise the intrusion vectors.
> > Not installing a not really needed package that might give you root
> > access is IMHO a vital advantage.
> 
> It is good practice for critical environments to not let users
> log in as/become root but rather *do* carefully constrained
> things as root -- and thusly, use sudo.

Well, I'm not vetoing against sudo.  I'm just saying that in the
specific case where the su/sudo functionality is used, you are just
root.  And installing sudo in its plain form does not prevent
people to become root, since in most practical cases the admin
does not mind to forbid `sudo su`.

> I'm just saying things can be looked at both ways.

I'm open to look from several ways - but your way was not (yet)
convincing. 

Kind regards

       Andreas.

-- 
http://fam-tille.de

Reply to:

References:
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Karsten Hilbert <Karsten.Hilbert@gmx.net>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Emilien Klein <emilien+debian@klein.st>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Emilien Klein <emilien+debian@klein.st>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Karsten Hilbert <Karsten.Hilbert@gmx.net>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Emilien Klein <emilien+debian@klein.st>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Andreas Tille <tille@debian.org>
- Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
  - From: Karsten Hilbert <Karsten.Hilbert@gmx.net>

Prev by Date: Re: [efmi-lifoss-wg] Call for participation - IWEEE 2014, 29-30 May, Las Palmas, Gran Canaria, Spain
Next by Date: Re: itk-4.5 and python
Previous by thread: Re: Bug#739657: gnuhealth-server: fails to install: gnuhealth-server.postinst: sudo: not found
Next by thread: Fwd: [efmi-lifoss-wg] Call for participation - IWEEE 2014, 29-30 May, Las Palmas, Gran Canaria, Spain
Index(es):
- Date
- Thread